
Why you need a cybersecurity incident response specialist

By Roger A. Grimes

Tens of thousands of companies, organizations and cities are being savagely taken offline by ransomware. Some targeted entities handle it relatively fine and are down a day or three. Others are down for weeks, and sometimes they are hit again. The difference between a quick recovery and a chronic problem often depends on who you call for help.

I talked to one of the best in the game recently. John F. Mullen, partner with Mullen Coughlin, LLC, has been involved with thousands of cybersecurity incident responses in his career. His firm was involved in 1200 just last year.

You have probably never heard of Mullen Coughlin. I didn’t before I spoke with a city CISO friend of mine. When he called the phone number his cyber insurance company gave him to pre-establish a relationship for security responses, he ended up speaking with John.

If you have a cybersecurity incident and have purchased cyber insurance, your insurance company doesn’t have the professionals on staff to handle your technical incident response, any more than it would patch the fiberglass of a boat after a hurricane claim. Insurance companies do insurance and underwriting. When a claim is made and the damage has to be fixed, they sub it out.

Why use a specialized incident response firm

John sees three reasons why an organization should use a firm like Mullen Coughlin after an attack. First, they have experience. Entities calling Mullen are often already working the incident response, but using local IT firms they know. That’s OK, but those local firms usually don’t have the experience of the forensic teams available to Mullen Coughlin. As John put it, “It’s all we do.” Plus, sometimes the reason the customer was compromised was something the local IT service did, like a missed patch or a bad configuration setting.

Second, John’s team are all lawyers. Anything they discuss and do on behalf of the customer is privileged. That’s legalese for “anything we discuss will likely not be shared with anyone else.” Everybody John hires comes under the privileged communication umbrella. Local IT firms can’t give you that.

Third, and most important, firms like John’s and the insurance carriers have already vetted all the necessary forensic, PR and mass mailing/ID protection service providers needed to cover a customer’s situation.

Call ahead and do annual security reviews

John recommends that, if you have the opportunity, you call the incident response firm your cyber insurance carrier works with before an attack occurs. He said that maybe 1% of his customers call ahead of time to meet his team and find out how the process is going to work. He welcomes these customer calls because they allow him to establish trust and share how the process will work. This saves precious minutes when that emergency call happens. So, call ahead of time.

John also recommends that every organization purchase cyber insurance and have an outside security review performed at least annually. He also suggests that the firm conducting the review not be the one currently providing your regular IT services. Make sure to change which outside firm you use every year. Different firms find different things, he says, and you want a unique, independent perspective each time you do it.

How ransomware is changing

John says ransomware attacks have changed over the years. Just a couple of years ago, ransomware typically activated as soon as it entered an organization and encrypted the desktop it was on. Now the attacker is far more likely to be inside of an organization for multiple days or weeks, figuring out how to maximize their access to the penetrated system. He says you can’t automatically trust your offline backups, because the ransomware guys are working to block even that avenue of safety.

I asked if social engineering was involved in the majority of ransomware cases. John says that social engineering was likely involved in half or over half of the cases, especially if you include third-party service providers that are compromised to reach the ultimate victim. Misconfiguration and unpatched software also frequently played a role.

Some research claims that paying a ransom demand does not result in getting a working decryptor key up to 40% of the time. John says his experience is different. “Ninety-five percent of the time, when the customer pays the ransom it results in less recovery work and downtime than if they didn’t pay it.”

If you ever need to call a firm like John’s, he offers one piece of advice to make things go smoother: “Make sure the people calling my firm have the necessary authority to make decisions. You can’t imagine how many times we come up with a plan of action only to have to wait again while the right decision makers are contacted, and I have to say everything again to get a decision.” Making sure the person calling has the necessary authority can only make everything happen faster.

A security columnist since 2005, Roger Grimes holds more than 40 computer certifications and has authored ten books on computer security.